EIP-2026-114432

PRE-CVE

XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114432. PoCs published by Ahsan Tahir.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in XhP CMS 0.5.1 that leads to persistent XSS. It generates an HTML file that, when visited by an admin, changes the site title to an XSS payload.

Description

XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC

by Ahsan Tahir · pythonwebappsphp

https://www.exploit-db.com/exploits/40576

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in XhP CMS 0.5.1 that leads to persistent XSS. It generates an HTML file that, when visited by an admin, changes the site title to an XSS payload.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: XhP CMS 0.5.1

No auth needed

Prerequisites: Target URL · Admin user interaction

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026